Chinese Hackers Exploit Critical Dell RecoverPoint Flaw, CVE-2026-22769, for Root Access

Critical Dell RecoverPoint Vulnerability Exploited by Chinese Hackers Since 2024

A critical security flaw in Dell’s RecoverPoint for Virtual Machines (RP4VM) has been actively exploited by a China-linked cyber espionage group, UNC6201, since mid-2024. This vulnerability, identified as CVE-2026-22769, carries a maximum CVSS score of 10.0 due to hardcoded credentials that allow unauthenticated remote attackers to gain root-level access to the underlying operating system.

Vulnerability Details

CVE-2026-22769 affects RP4VM versions prior to 6.0.3.1 HF1. The flaw resides in the Apache Tomcat Manager component, which contains hardcoded credentials for the admin user. Attackers with knowledge of these credentials can authenticate to the Tomcat Manager, deploy malicious web shells, and execute commands with root privileges. Dell has acknowledged the severity of this issue, emphasizing the potential for unauthorized access and persistent control over affected systems.

Exploitation by UNC6201

UNC6201, a threat actor with suspected ties to China, has been exploiting this vulnerability since at least mid-2024. Their campaign involves deploying custom malware, including the BRICKSTORM backdoor and its more advanced successor, GRIMBOLT. GRIMBOLT, a C#-based backdoor compiled using native ahead-of-time (AOT) compilation, is designed to evade detection and minimize forensic traces on infected hosts.

The attackers have also employed stealthy techniques such as creating temporary virtual network interfaces, known as Ghost NICs, on compromised virtual machines. These interfaces facilitate lateral movement within networks and are deleted post-operation to hinder detection and investigation efforts.

Impacted Versions and Remediation

The following RP4VM versions are affected by CVE-2026-22769:

– Version 5.3 SP4 P1: Users should migrate to 6.0 SP3 and then upgrade to 6.0.3.1 HF1.

– Versions 6.0 through 6.0 SP3 P1: Users should upgrade directly to 6.0.3.1 HF1.

– Versions 5.3 SP4 and earlier: Users should upgrade to version 5.3 SP4 P1 or a 6.x version, followed by the necessary remediation.

Dell strongly recommends deploying RP4VM within trusted, access-controlled internal networks protected by appropriate firewalls and network segmentation. The product is not intended for use on untrusted or public networks.

Mitigation Measures

To protect against potential exploitation, organizations should:

1. Apply Patches Promptly: Upgrade to RP4VM version 6.0.3.1 HF1 or later to address the vulnerability.

2. Restrict Network Access: Ensure RP4VM is deployed within secure, access-controlled internal networks with appropriate firewall configurations.

3. Monitor for Indicators of Compromise (IoCs): Be vigilant for signs of unauthorized access, such as unexpected network interfaces or unusual system behavior.

4. Implement Endpoint Detection and Response (EDR) Solutions: Deploy EDR tools to monitor and respond to suspicious activities, even on systems that traditionally lack such protections.
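The hardcoded credentials described above turn Tomcat Manager's deploy endpoints into the route to a web shell, and item 3 asks for monitoring; as an added defensive example (not Dell's code or part of the original article), the Python below triages Tomcat access-log lines in the default common pattern, flagging Manager deploy requests and any later traffic into a context they installed. The Manager paths are Tomcat's standard endpoints; the sample log, addresses and timestamps are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that install a web application; on an appliance such as
# RP4VM nobody should be deploying applications this way.
DEPLOY_ENDPOINTS = {"/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload"}

# Constructed sample log (not taken from any real host): a normal UI request, a
# Manager deploy authenticated as admin, a request into the new context, and a
# rejected Manager login.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:03:14:07 +0000] "GET /WebApp/ HTTP/1.1" 200 5123',
    '203.0.113.7 - admin [12/Mar/2025:03:15:22 +0000] "PUT /manager/text/deploy?path=/sync&update=true HTTP/1.1" 200 71',
    '203.0.113.7 - - [12/Mar/2025:03:15:40 +0000] "GET /sync/index.jsp HTTP/1.1" 200 44',
    '10.0.0.9 - - [12/Mar/2025:03:16:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]

Finding = Tuple[str, str, str, str]  # (client host, remote user, severity, reason)

def triage(lines: List[str]) -> List[Finding]:
    """Flag Manager activity and any later traffic into a context the Manager installed."""
    findings: List[Finding] = []
    deployed: set = set()  # context paths installed via the Manager earlier in this log
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected pattern; a real pipeline would count these
        rec = m.groupdict()
        url = urlsplit(rec["target"])
        path, ok = url.path, rec["status"].startswith("2")
        if path in DEPLOY_ENDPOINTS and ok:
            # text/deploy names the context in the query; html/upload takes it from the WAR name
            ctx = parse_qs(url.query).get("path", ["(unknown)"])[0]
            deployed.add(ctx)
            findings.append((rec["host"], rec["user"], "high",
                             f"{rec['method']} {path} installed context {ctx}"))
        elif path.startswith("/manager/"):
            findings.append((rec["host"], rec["user"], "medium" if ok else "low",
                             f"Manager access {path} returned HTTP {rec['status']}"))
        else:
            for ctx in deployed:
                if ctx != "(unknown)" and (path == ctx or path.startswith(ctx + "/")):
                    findings.append((rec["host"], rec["user"], "high",
                                     f"{rec['method']} {path} hits Manager-deployed context {ctx}"))
    return findings
```

On an RP4VM appliance any successful Manager deploy is a high-severity finding on its own, because the product's administrators have no legitimate reason to install applications through Tomcat Manager.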

Conclusion

The exploitation of CVE-2026-22769 underscores the importance of timely vulnerability management and robust network security practices. Organizations using Dell’s RecoverPoint for Virtual Machines must act swiftly to apply the necessary updates and implement recommended security measures to mitigate the risk posed by this critical flaw.